WindowsTechs.com

Author Archives: Melab

TPM "Reset" versus "Restart" [closed]

Posted on May 14, 2026 by Melab

TPM specifications say that TPM_NV_WRITE_STCLEAR and TPM_NV_GLOBALLOCK permissions mean an NVRAM slot can be locked until the next "TPM Reset" or the next "TPM Restart". But what is the difference between "Restart…

Posted in TPM

Difference between platform and owner passwords in TPM 2.0

Posted on January 9, 2025 by Melab

There is a password for the owner hierarchy and there is a password for the platform hierarchy in the TPM 2.0 specification. What is the difference? What can either do that the other cannot?

Posted in TPM

Create a password policy for TPM 2.0

Posted on January 5, 2025 by Melab

For an NVRAM slot, I would like to create a TPM 2.0 policy that uses TPM2_PolicyPassword. I assume that tpm2_policypassword is the tool to use to create such a policy, but the man page doesn’t tell me how to specify the desired password. H…

Posted in TPM

What is in a TPM policy?

Posted on November 22, 2024 by Melab

Documentation for the tpm2_nvdefine utility mentions using a policy to control access to NVRAM areas.

    -L, --policy=FILE:
        Specifies the policy digest file for policy based authorizations.

What do these policies look like? How are they enf…

Posted in TPM

How do nonce hashes prevent replay attacks on Apple Silicon?

Posted on October 16, 2023 by Melab

Apple Silicon-based Macs have a LocalPolicy file that controls the secure boot process. To prevent replay attacks of the LocalPolicy, hashes of nonces are used. From here:

The lpnh is used for anti-replay of the LocalPolicy. This is an SH…

Posted in apple, Secure Boot

When can TPM_Start(ST_Clear) be issued to a TPM?

Posted on May 9, 2023 by Melab

TPM 1.2 has an NVRAM permission attribute called TPM_NV_PER_WRITE_STCLEAR. The TPM 1.2 specification describes it as

The value is writable until a write to the specified index with a datasize of 0 is successful. The lock of this attribute…

Posted in TPM

UEFI secure boot anti-rollback

Posted on June 18, 2020 by Melab

I haven’t seen any mechanism by which UEFI can detect the most recent update to a binary being swapped out for an older binary that was signed with the same key as the up-to-date binary. Google’s vboot is the only PC firmware I k…

Posted in replay-detection, uefi

Creating a simple self-signed certificate with openssl x509/ca/req

Posted on August 9, 2018 by Melab

All I want to do is create a self-signed certificate that is like this:

It has the serial number of 0.
It lacks both a start date and end date.

If this cannot be done using OpenSSL, then I’d like to have the start date be…

Posted in OpenSSL

How are relay attacks thwarted?

Posted on September 13, 2017 by Melab

I just now learned that what I now know to be a relay attack is actually a security problem. This is meant to be a very broad question. How are relay attacks thwarted?


Posted in authentication, Exploit, Identity, man-in-the-middle

Preventing new NVRAM areas from being defined in a TPM

Posted on June 26, 2017 by Melab

Is there any way to prevent new NVRAM areas from being defined on a TPM until the next reboot (similar to power-cycle types of protection)? The reason I ask is because firmware could check for NVRAM areas at certain hard-coded…

Posted in TPM
